[Smcwg-public] Approved Minutes of SMCWG October 14, 2020
Stephen.Davidson at digicert.com
Sun Nov 1 10:39:46 MST 2020
Minutes of SMCWG
October 14, 2020
These are the Approved Minutes of the Teleconference described in the
subject of this message.
Adrian Mueller (SwissSign), Ahmad Syafiq Md Zaini (MSC Trustgate.com),
Andreas Henschel (D-TRUST), Ben Wilson (Mozilla), Bruce Morton (Entrust
DataCard), Burkhard Wiegel (Zertificon), Chris Kemmerer (SSL.com), Dean
Coclin (DigiCert), Enrico Entschew (D-TRUST), Hazhar Ismail (MSC
Trustgate.com), Hongquan Yin (Microsoft), India Donald (Federal PKI), James
Knapp (Federal PKI), Janet Hines (SecureTrust), Jeff Ward (WebTrust),
Li-Chun Chen (Chunghwa Telecom), Morad Abou Nasser (TeleTrust), Patrycja
Tulinska (PSW), Paul van Brouwershaven (Entrust), Pedro Fuentes (OISTE),
Rich Smith (Sectigo), Rufus Buschart (TeleTrust), Russ Housley (Vigil
Security), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems),
Thomas Zermeno (SSL.com), Tim Crawford (WebTrust), Tsung-Min Kuo (Chunghwa
Telecom), Wendy Brown (Federal PKI)
1. Roll Call
The Roll Call was taken.
2. Read Antitrust Statement
The Antitrust/Compliance Statement was read.
3. Review Agenda
4. Approval of minutes from last teleconference
The minutes of the September 30 teleconference were approved.
5. Discussion of approach and deliverables
The discussion continued regarding the fields in S/MIME leaf certificates.
keyUsage: there was discussion relating to the encipherOnly and decipherOnly
keyUsages that may accompany keyAgreement for ECDH, which were noted as
being part of a key escrow scheme that is not known to be in common use.
Following discussion, it was proposed these might be marked as "MAY but not
recommended". It was agreed that there is great variety in deployment for
split vs dual use keys: settings will need to be specified for split vs dual
extendedKeyUsage: It was agreed that emailProtection MUST be present and
serverAuth, codesigning, timestamping, anyExtendedKeyUsage, and ocspSigning
MUST NOT be present.
It was agreed that MAY should include clientAuth, Adobe Authentic Documents
Trust, Microsoft Document Signing. There was a discussion regarding default
deny versus providing flexibility and future innovation. Settings will need
to be specified for split vs dual use keys.
basicConstraints: If present, cA field MUST NOT be set true and
pathLenConstraint field MUST NOT be present.
SKI: pick up from BR.
AKI: Identical to SKI in the issuing CA cert. authorityCertIssuer and
authorityCertSerialNumber must not be populated.
certificatePolices: Define a CABF certificate policy OID asserting
compliance with the SMCWG Baseline, and allow CA specific certificate policy
OIDs. There was discussion regarding the use of expanding the OIDs to
include a baseline email-verified versus a subject-verified OID, and the
potential interest of Relying Parties in information such as the use of key
escrow or cryptographic tokens.
MAY be present: cps (if present, MUST contain a valid HTTP or HTTPS link to
the CPS) and user notice.
Discussion returned to the subject of key escrow; it was argued that keys
with a digitalSignature MUST not be escrowed.
It was decided that a strawman would be further discussed on OID option, at
least for marking out a roadmap, but that it was likely that for the initial
version a single OID for the SMCWG Baseline would be adopted.
AIA: OPTIONAL use of caIssuers and ocsp (latter if present MUST contain at
least one publicly accessible HTTP URI). AccessDescription MUST NOT contain
any labels or parameters that are specific to an individual certificate.
There was discussion relating to the use of LDAP, noting that it should be
allowed but if included must be publicly available.
6. Any Other Business
No other business.
7. Next call
The next call will take place on October 28, 2020 at 11:00am Eastern Time.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Smcwg-public